When the "R" in GRC Becomes 'Risky Business'

The point of my catchy title is not to remind you of the popular 80's Tom Cruise movie (though most of you are probably already hearing the opening piano riff from Bob Seger's Old Time Rock & Roll racing through your mind). My intent is to explain the ?Risky Business' of waiting too long to begin a governance, risk and compliance program.
Far too often I see companies wait ?and wait ?and wait because they don't think they need an IT GRC program. I continuously hear statements like, "We're not big enough," "We're not ready," "We don't have the budget," or my personal favorite, "We really don't have any risks to warrant such a program." And that's usually When it happens ? a data breach (a laptop goes missing with sensitive data, a key financial system gets hacked, a disgruntled employee sabotages a legacy system) or any type of compliance deficiency. That's When it's too late to be proactive with GRC and ?Risky Business' sets in.
Why is waiting so risky? Well, now a company has to take reactive security measures and not only has to implement some type of IT security or GRC initiative, but also has to simultaneously manage the chaos and events from the fallout of the data breach. And, who knows how many thousands of dollars will be spent in remediation of the breach. Far too often these companies end up spending significantly more than they would have had they proactively implemented the GRC program months earlier, before they felt the pain of a data breach.
Does having a GRC program make you bullet proof from a data breach? No, but it does show your stakeholders that you take security seriously, and you had safeguards in place to prevent such an attack. And, having a sound GRC program puts you in a much better position for breach response.
This business of risky management vs. risk management is a sad but true trend in the IT GRC space. The solution: begin an IT GRC program before you feel the pain from the ?Risky Business' of waiting too long to say Now.